Otto Sulin

4.9K posts

Otto Sulin banner
Otto Sulin

Otto Sulin

@ottosulin

Head of Security @supermetrics | Interested in building secure software and everything outdoors. @OWASP_AISVS co-lead.

🇪🇺 Katılım Haziran 2009
2.3K Takip Edilen2.1K Takipçiler
Otto Sulin retweetledi
Otto Sulin retweetledi
Amanda Orson
Amanda Orson@amandaorson·
The faster technology moves, the more I think about Bezos' question What won't change in the next 10 years? Things I've been writing down over time: - Humans will always need shelter, food, energy, and healthcare. - The desire for ownership and the accumulation of wealth. - The physical world will move more slowly than the digital one. - Every increase in technological capability, especially AI, will require more energy. - People and businesses will continue to need access to capital. - Capital will continue to seek returns that exceed inflation. - Underwriting methods evolve, but demand for credit (loans) is persistent. - Trust remains scarce and becomes increasingly valuable as content, code, and fraud become cheaper. - Verified identities and reputation becomes more important as information becomes abundant and synthetic. - Long-term wealth creation and dynastic (multi-generational) thinking predate modern technology, and will persist. - Coordination and transaction costs never fully disappear; market friction will continue to justify the existence of firms and intermediaries. - People will continue to compete for status. - Consumers will pay a premium for products and services that confer status. - Time remains fixed at 24 hours per day. - But attention is a finite resource and an enduring constraint. - Products that credibly save time (or enable delegation) have a perpetual market. - Inaccessible, proprietary data will be a persistent moat. The more inaccessible and difficult to aggregate, the deeper the moat. - People want accountability, recourse, and clearly identifiable responsibility when things go wrong. - Regulation consistently lags technological innovation. - Compliance requirements, licensing, and regulatory moats persist even when machines can perform the underlying task. - Local knowledge remains valuable and difficult to replicate. - Heterogeneous markets (like real estate) continue to reward people with deep contextual understanding. - Incumbent organizations tend to underinvest in disrupting their own businesses, which always creates opportunities for challengers. Bezos' insight on what wouldn't change in 10 years was "Customers will always want lower prices and faster delivery." It's boring/ true, but I think that's the point. Everything we build today can and will be rebuilt more cheaply, faster by someone else. Build on the invariants, not the trends. What have I missed?
English
191
732
5.2K
951K
Otto Sulin retweetledi
Md Ismail Šojal 🕷️
fully uncensored Cybersecurity-specialized model tuned on exploits, pentesting and Run locally on MacBook, delivers expert-level offensive & defensive insights. - Zero refusals - Exploit writing - vuln analysis - Fully uncensored - OWASP, and MITRE. - fine-tuned deep on real security data - 11 quants available from tiny Q2_K to full precision, Runs great on consumer hardware. Runs 100% offline on your laptop no refusals. Perfect for CTFs, bug bounties, blue/red teaming.
Md Ismail Šojal 🕷️ tweet media
Md Ismail Šojal 🕷️@0x0SojalSec

x.com/i/article/2074…

English
21
217
1.4K
112.8K
Michael Coates
Michael Coates@_mwc·
Big Update for me - a new chapter and I'm now CISO of @SolanaFndn . I've always been drawn to fast moving new frontiers. Head of Security of Mozilla during the height of the browser wars, the first CISO of Twitter as they burst onto the world's stage, and even as a startup founder innovating on data security for enterprise SaaS as cloud deployments skyrocketed. Years ago through the acquisition of our startup, Altitude Networks, to CoinList I found my way into crypto. I'm excited to share that I'm continuing the crypto adventure as CISO of Solana Foundation. Why Solana? This is the chain doing tens of billions of dollars in stablecoin volume a day. It's the chain where SpaceX's tokenized shares went live the same day as its Nasdaq debut. It's processing more transactions daily than most of crypto combined. Solana is establishing itself as the future of financial infrastructure, at massive scale. Now, this is not without its challenges. I'm keenly aware of the adversaries' incentive to separate people from their crypto. I'm aware of the rising threats from malicious use of AI (something I testified to Congress about earlier this year), and the massive power for defense when harnessed effectively. And I’ve felt the push and pull when innovative new approaches meet established traditional businesses. I'm thrilled to work across the foundation and the entire Solana ecosystem to help tackle these challenges head on. That means building security into this industry, from operational and appsec fundamentals to the crypto-specific challenges, working with policymakers and standards bodies to get cybersecurity regulation right, and bringing the lessons and battle scars I've picked up along the way. Innovation is messy and security is hard. This is the nexus where I enjoy working to solve the hardest challenges alongside the smartest folks around the world. Onward!
Michael Coates tweet media
English
123
48
566
44.1K
Otto Sulin
Otto Sulin@ottosulin·
Final moat against AI will always be taking responsibility.
Prajwal Tomar@PrajwalTomar_

Vibe coders are getting sued. People are shipping apps with real users and skipping the boring stuff that kills them. A 20+ year dev shared the pre-launch checklist every AI builder needs. I added what I learned after shipping 60+ apps at the agency. Don't skip this: 1. Protect yourself, not just your app. The moment you collect user data you're in legal territory (GDPR, CCPA). Have a privacy policy. Know where user data lives. 2. Row Level Security. Without RLS, anyone can open DevTools and read your entire database. Supabase → Auth → Policies. Zero policies means your app is naked. 5 min to fix. 3. Test the failure path, not just the happy path. Wrong password 5x. Reset for an email that doesn't exist. Verification link clicked twice. Signup with an existing email. Catches 80% of auth bugs. 4. Security baseline in 2 min. Prompt your AI: "Review my app as a security specialist and make sure I have strong security headers and a solid baseline security posture." 5. OWASP. Prompt: "Review my app against OWASP standards and highlight vulnerabilities." This is where SQL injection, XSS and auth bugs actually get caught. 6. Client-side validation is UX, not security. Attackers disable JS and hit your API directly. Validate again on the server. Every time. 7. AI code leaks data in 3 spots: .env values in the frontend, API responses returning too much, secrets in logs. Prompt: "Check my app for credential or sensitive data leaks in frontend or API routes." 8. API keys in the frontend means game over. If it's in the browser, assume it's already taken. Move it server-side or proxy it. 9. Rate limits before someone burns your API bill. Cap every endpoint hitting a paid API. I've watched a Supabase bill jump from $20 to $200 in a day. 10. CAPTCHA on public forms (Cloudflare Turnstile is free) plus CORS locked to your domain. 10 min, kills bot floods. 11. Error messages that don't leak. "User not found", not "SELECT * FROM users failed". Log full errors server-side, show users generic messages. Build fast. Just don't ship naked. (full breakdown in my article below)

English
2
0
1
53
Otto Sulin retweetledi
Gergely Orosz
Gergely Orosz@GergelyOrosz·
This is very interesting. Coinbase seems to have lowered their token spend ($$) to about half, by 1) routing to cheap inference like GLM 5.2 and Kimi 2.7 that are still pretty performant 2) Smart routing + caching They still use the same tokens as before. Start of a trend?
Brian Armstrong@brian_armstrong

How to keep AI spend flat while token usage grows exponentially: Not with friction and spend alerts. With better defaults, routing, and caching. Better Defaults (not Usage Caps) – Engineers can choose any model they want, but defaults matter. We’re experimenting with defaulting to open weight models like GLM 5.2 and Kimi 2.7 through our LLM gateway, while still encouraging engineers to choose the right model for the task. 91% of our employees were never hitting their usage caps, so instead of lowering caps and driving up alerts, we're moving to cheaper defaults. Note that code reviews use a diversity of models, so they can check each other's work. Better Routing – In our custom harnesses, we preprocess prompts and route to the best model for the job, considering cache hits and model pricing. For instance, you may want a frontier model for planning, but not for execution where they can be overkill. Ultimately, humans shouldn't be choosing models - AI can automate this task. Better Caching – Cache misses are the easiest way to drive your cost up. All of our requests are cache aware, so we’re reusing a warm cache wherever possible. For example, our cache hit rate went from 5% → 60% in LibreChat once properly implemented. Keep Context Lean – Start fresh sessions when switching tasks. Scope file context narrowly. Disconnect unused tools. Don't just compact. The goal isn't fewer tokens used, it's fewer tokens wasted. Better Visibility – Our engineers can use as many tokens as they want, from whatever model they want, but we’ve made usage visible – and the more you spend on AI, the more impact we expect. The goal isn't to suppress usage. It's to build the infrastructure that makes exponential growth sustainable. Putting this into practice has cut our AI spend nearly in half, while our token usage continues to grow.

English
116
156
2.7K
649.5K
Otto Sulin retweetledi
Jim Manico from Manicode Security
The @OWASP_AISVS is going live tomorrow and I want to deeply thank @ottosulin 🇫🇮 and @ricokomenda 🇩🇪 for their tireless efforts over the last year. They have both been humble active participants from the early days and helped drive AISVS 1.0 to completion. Thank you gentlemen. We could not have made it this far without you!
Jim Manico from Manicode Security tweet media
English
0
2
8
631
Otto Sulin
Otto Sulin@ottosulin·
It has been a real pleasure with our team @manicode, @ricokomenda, @vtknightmare & Raza Shariff on AISVS. The project has taken many, many long evenings and afternoons. Feels great to finally release 1.0 tomorrow here at @owasp Global AppSec in Vienna 🎉
Jim Manico from Manicode Security@manicode

The @OWASP_AISVS is going live tomorrow and I want to deeply thank the first major volunteer and active co-leader, @ottosulin 🇫🇮 He has been a humble active participant from the early days and has helped drive AISVS to completion. Thank you @ottosulin we could not have made it this far without you!

English
1
1
3
555
Otto Sulin retweetledi
Katie Paxton-Fear
Katie Paxton-Fear@InsiderPhD·
I wrote up some of the research my colleagues did over the weekend on the performance of open weight models our vulnerability identification benchmarks, if you’re building hacking agents this probably be an interesting read!
Katie Paxton-Fear tweet media
English
4
28
262
15.6K
Otto Sulin
Otto Sulin@ottosulin·
You can't do security operations with costs of Fable. You just can't. Triaging vulns, analyzing alerts - it's high volume, but also requires intelligence. At the cost and intelligence levels of Kimi K2.7 and GLM 5.2 this is actually realistic without blowing the budget.
Hassan@nutlope

x.com/i/article/2067…

English
0
0
0
43
Otto Sulin
Otto Sulin@ottosulin·
Researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a “residential proxy” provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd. krebsonsecurity.com/2026/06/popa-b…
English
0
0
0
68
Otto Sulin retweetledi
The Europeans
The Europeans@TheEuropeansHQ·
🚨 The US government has ordered the suspension of access to Anthropic's frontier AI models Fable 5 and Mythos 5 for all foreign nationals worldwide, citing national security concerns. Now imagine a European company, hospital, ministry or public administration that has built critical processes around a frontier AI model. From one day to the next, access disappears. Workflows stop. Services are disrupted. Teams scramble to migrate. Millions are spent on emergency replacements. This is what technological dependence looks like. When access to critical technologies depends on decisions taken by foreign governments, Europe no longer fully controls its ability to act, compete or innovate. AI is only one example. We explored several scenarios showing how Europe could be "switched off" through dependencies in critical technologies, infrastructure and supply chains. ⬇️ Read the article: the-europeans.eu/could-europe-b…
Anthropic@AnthropicAI

The US government, citing national security authorities, has issued an export control directive to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees. The net effect of this order is that we must abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance. Access to all other Claude models is not affected. We apologize for this disruption to our customers. We believe this is a misunderstanding and are working to restore access as soon as possible. Read our full statement: anthropic.com/news/fable-myt…

English
37
97
366
25.3K
Otto Sulin retweetledi